Inside LeakedSource and Its Database of 3 Billion Hacked Accounts

BY NOW IT’S hard to keep track of which companies have been hacked and which haven’t. Remember the FourSquare hack? What about Adobe? Even breaches that were high-profile at the time are fading into obscurity as bigger and scarier ones crop up. (Ahem, Yahoo.) And if you can’t remember what’s been hacked, you’re probably struggling to keep track of which leaks have included your personal data. That’s where “the Google of data breaches” comes in.

LeakedSource is a service that sends email notifications about new breaches and offers a database of information stolen in hacks. Its basic services—the ability to sign up for email notifications and search the database—are free, but users can pay to access more advanced search functionality. LeakedSource also provides a paid tool for businesses, so that they can notify users who have been affected by a breach. The project started in late 2015, and with just days to go in 2016, the group that runs LeakedSource is planning to release roughly 100 million more records from a “Chinese mega site” that hasn’t yet announced the hack, according to a LeakedSource representative. That will bring LeakedSource’s total for the year to a whopping three billion. It plans to publish 105 million more in early 2017, a combined total from 20-30 hacked sites.

Its mission is as much to tell users that their information is at risk as it is to pressure companies to disclose when they’ve been compromised—something that often happens far too slowly, if at all. Logging the data in breaches also allows users (individuals or large entities) to keep track of which of their accounts have been compromised and which pieces of their data are permanently out in the open. At the very least, it helps you keep track of which passwords you have to change. But it also allows people to see whether data points like their phone numbers are bouncing around in the wild connected to their name. You give so much information to the services you interact with, sometimes without even really consciously registering what you’re putting out there. It’s necessary to take back whatever control you can.

“It can admittedly get tiring to be ignored by breached companies 95 percent of the time and staring at database after database,” says a LeakedSource spokesperson. “We originally started this because people were asking where they could see if they are affected by XYZ breach, but they had no good answer since companies just don’t tell users about hacks.”

Team Effort

A small group of anonymous international members operates LeakedSource from an undisclosed location—the group says that “if nobody knows who we are or where our site is located, bad people can’t attack us.” Contributors use their varied skills to help run the site, administer the database, and analyze data. A spokesperson for LeakedSource said in a separate interview that some group members “have other sources of income and others are still in school.”

Some of the site’s biggest troves this year include over 360 million aging Myspace accounts, and more than 339 million users affected in the Adult Friend Finder hack. It’s like a more comprehensive, and more secretive, version of researcher Troy Hunt’s Have I Been Pwned, which has collected just under two billion records since 2013.

“While this project began as a hobby it has also turned into a very crucial public service and we believe we’ve educated much of the general public on the poor state of internet security,” the group explains in a FAQ published on Monday. “As an added bonus, we force the hands of breached companies to actually notify their users instead of sweeping it under the rug which [we] accomplish by notifying media outlets.”

Importantly, LeakedSource says that it only publishes information that is already publicly available online, and doesn’t publish data that hasn’t been posted anywhere else. A spokesperson also said that LeakedSource doesn’t pay for data dumps. “Over two billion of ‘our’ records are literally a Google search away. Go ahead and Google ‘download myspace database’ and it’ll be in the top five results, for example,” the representative says. “All we do is combine it in one easy to use location.” Records that aren’t obtained from the mainstream web come from “underground groups.” The service has operated for a little more than a year at this point, and LeakedSource says that it has had no interactions of any kind with law enforcement thus far.

Public Service (For Some Profit)

Its business model is not without controversy, though. The group doesn’t just maintain the databases, it also decrypts passwords and other data that comes out of hacks when possible. In one sense, that makes LeakedSource’s offerings more useful to companies and users alike, since it lets both search for specific data. LeakedSource says it offers this mechanism to, “satiate [user] curiosity which is a natural human tendency. For example if it’s not enough that we tell you your username was leaked from MySpace, for a couple dollars we’ll tell you WHICH username was leaked or which email, etc.”

It also, enables queries for other people’s information as well as your own. For people who rotate between a few passwords it’s useful to be able to look up which one was compromised in a breach; that way you know which other accounts you need to adjust and monitor, and which can stand pat. But offering such a service does create another public channel for would-be attackers to access the information, and some in the security community argue that LeakedSource is profiting off of breaches while possibly making security problems worse by doing all the work to groom leaked data.

“They’re basically trying to make some money off public information in a way that aids and abets crime in my opinion,” says John Michener, chief scientist at the security consulting firm Casaba Security. “There’s a lot of value to people knowing they’ve been popped, so if [LeakedSource] were serious about the public benefit part of it they could just send emails to every compromised email saying ‘hey, we picked you up in a compromised database.’ ”

The LeakedSource spokesperson says that the service’s operating costs “exceed the salary of most normal jobs so there has to be some sort of revenue or it just couldn’t function.”

The anonymity, too, has spawned concerns over accountability.

“There are other services like this that I would say are a little more reputable, because you know who’s running them and you know they’re making their money doing something else,” says Jared DeMott, the chief technical officer of the managed security company Binary Defense Systems. “With this one I’m hesitant to even punch my email into it because I don’t know who’s running it and what they do with that data. I think that’s probably why they want to hide because they understand that the data they’re holding is in a very foggy area ethically even though there is a big need for it and there’s a market for it.”

LeakedSource says that “under no circumstances” does it sell data about what people search for on its site. “Unlike free websites we don’t pay our bills with your information, you aren’t the product here,” the group says. It’s also adamant that its motives are completely apolitical. “It is demonstrably hazardous to one’s health to have a political agenda these days,” the spokesperson said, adding that when people try to leak sensitive data, such as government information, to LeakedSource, the group redirects would-be leakers “to more suited organizations such as Wikileaks.”

A Net Good

Despite unease from some corners, LeakedSource has its backers as well. The group says it has collaborated with reporters in the past to unearth breaches, rather than log into or probe services on its own. And it even has an advertiser in Netsparker, a UK-based company that develops a web application security scanner. “Quite frankly, even we don’t know their names” says Robert Abela, marketing manager at Netsparker. “But they’re not doing anything illegal, and if they want to remain anonymous that’s their own business question…As long as they’re providing a good service to the community and raising awareness, we’re behind them.”

It’s also far from the only service providing information about the data in big breaches. Instead, it’s part of what is hopefully a movement to create more tools that help consumers understand the status of their personal data and feel more empowered to defend it. The recent Yahoo breach, which included one billion user records stolen in 2013, is a reminder that the scale of individual breaches is firmly in the billions.